Comment by chatmasta 17 hours ago

It depends on how your product is distributed. Is it a static binary or a website where users don’t interact with the source code? Then dependency updates are less important.

Is it an open source package where every user inherits your dependencies? Then dependency updates are important.

The immediate benefits (or lack thereof) all come down to user impact. The longer term benefits are a balancing act between opportunity cost (what could you be developing instead of updating?) and tech debt (if you don’t update frequently, you’ll eventually need to do a really painful one).

I’d say the most important thing is making sure your project will build successfully in five years even if you do no updates. Make sure all dependencies are cached, versions pinned, lockfiles used, etc. As long as your build process is deterministic, and you control when updates happen, then “when to update” is a manageable problem. You get into trouble when your tools are pulling in minor updates to dependencies just because the author pushed a new version. Don’t do that. Pin your versions.
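As an added example (not part of chatmasta's comment), here is a small Python audit that flags requirements which are not exactly pinned, the kind of check that catches the "pulling in minor updates just because the author pushed a new version" case before it reaches a build; it goes slightly beyond the comment by also treating wildcard pins as floating and by ranking `==` plus `--hash` as the strongest form. The sample requirements file, its placeholder hash values and the `_REQ_RE` helper are constructed for this example.

```python
import re

# Constructed sample requirements.txt (hash values are placeholders, not real digests).
SAMPLE = """\
-r base.txt
requests>=2.31          # floats: any newer 2.x, or even 3.x, can be pulled in
flask                   # floats: no specifier at all
numpy~=1.25             # floats: compatible-release still moves
Django==4.2.*           # floats: wildcard pin
pyyaml==6.0.1
cryptography==41.0.3 --hash=sha256:deadbeef --hash=sha256:cafef00d
urllib3<2,>=1.26 ; python_version < "3.12"
"""

# Hypothetical helper: distribution name, optional extras, optional specifier clauses.
# Covers the common requirements.txt shapes only, not the full PEP 508 grammar.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"  # distribution name
    r"(?:\[[^\]]*\])?"                                        # optional extras
    r"\s*(?P<spec>(?:===?|~=|!=|<=?|>=?)\s*\S+)?"             # specifier clauses
)

def classify_line(line: str):
    """Return (name, status) or None for blank, comment and option lines.

    status: "pinned+hash" (exact pin plus --hash, the strongest form),
    "pinned" (exact '==' pin), otherwise "floating" or "unparsed".
    URL/VCS and editable requirements are reported as floating (safe default).
    """
    body = line.split("#", 1)[0].strip()        # drop trailing comment
    if body.startswith(("-e ", "--editable ")):
        return (body, "floating")               # editable installs track a checkout
    if not body or body.startswith("-"):        # blank, -r include, --index-url ...
        return None
    body = body.split(";", 1)[0].strip()        # drop environment marker
    has_hash = "--hash=" in body
    body = body.split("--hash=", 1)[0].strip()  # hashes are not part of the spec
    m = _REQ_RE.match(body)
    if not m:
        return (body, "unparsed")
    name = m.group("name").lower()
    clauses = [c.strip() for c in (m.group("spec") or "").split(",") if c.strip()]
    # '==1.2.3' (or '===') is a pin; '==1.2.*' is a wildcard and still floats
    pinned = any(c.startswith("==") and not c.endswith("*") for c in clauses)
    if pinned:
        return (name, "pinned+hash" if has_hash else "pinned")
    return (name, "floating")

def audit(text: str):
    """Names of requirements that are not exactly pinned, in file order."""
    out = []
    for line in text.splitlines():
        res = classify_line(line)
        if res and res[1] not in ("pinned", "pinned+hash"):
            out.append(res[0])
    return out
```

Running `audit(SAMPLE)` in CI and failing the build on a non-empty result is one way to make "you control when updates happen" an enforced rule rather than a habit.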